Description
HCL Traveler is affected by sensitive information disclosure.  The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces.  Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks.
Published: 2026-03-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply patch
AI Analysis

Impact

The vulnerability allows an attacker to obtain sensitive information through error messages that include internal paths, file names, tokens, credentials, error codes, and stack traces. This can expose the system’s architecture and provide an attacker with valuable information for planning further attacks. The weakness is classified as CWE-209, which involves the accidental display of sensitive data in an error condition.

Affected Systems

Affected systems include HCL Traveler from HCLSoftware. No specific version information is provided in the available data, so all current installations of HCL Traveler are considered at risk until a patch or mitigation is applied.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, and the EPSS score is under 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, which further suggests it is not actively exploited by major threat actors. The most probable attack vector is the application's web interface, where error responses are returned to the client. If an attacker can trigger specific errors, they may receive detailed messages. As no direct exploitation method is provided, the risk remains primarily informational.

Generated by OpenCVE AI on April 1, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for a vendor‑supplied patch or security fix for HCL Traveler and apply it if available.
  • Disable or suppress detailed error messages in HCL Traveler’s configuration to ensure only generic error responses are returned.
  • Restrict access to error logs and trace files so that only authorized personnel can view them.
  • Monitor application logs for suspicious error patterns that may indicate an attempt to exploit the data disclosure vulnerability.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:hcltech:traveler:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hcltech; Hcltech traveler
Vendors & Products | | Hcltech; Hcltech traveler

Tue, 24 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks.
Title | | HCL Traveler is affected by sensitive information disclosure
Weaknesses | | CWE-209
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-24T20:31:43.245Z

Reserved: 2026-01-05T16:08:02.276Z

Link: CVE-2026-21783

Vulnrichment

Updated: 2026-03-24T20:31:37.246Z

NVD

Status: Analyzed

Published: 2026-03-24T20:16:26.093

Modified: 2026-03-31T21:02:00.767

Link: CVE-2026-21783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:23Z

Weaknesses